Enforcing SSL for GitLab Pages


While Blogger and GitHub now turn on SSL by default, neither supports it for custom domains. Some suggested workarounds put an SSL proxy layer between the browser and these providers, but that breaks the end-to-end encryption the end user expects and allows for MitM attacks. As such, I won’t mention the company that keeps touting this as a real solution.

I eventually came across GitLab, and happily they support SSL not just on their *.gitlab.io pages but also for custom domains. Their docs and these blog posts really help to get you started.

Unfortunately, while they do support SSL on all their pages and with custom domains, there does not appear to be a way to enforce SSL on all your pages. This means that if someone reaches your page over HTTP, they will not be automatically redirected to the secure version. While this is not a big deal for static content that is not handling sensitive information, it does defeat the purpose of encrypting your page in the first place. Since you can’t put up an .htaccess file or alter the webserver config, you’ll have to perform any SSL enforcement through your HTML/CSS/JS. The JavaScript workaround that I’ve found is to put the following snippet in the head of all my HTML documents.

```html
<script type="text/javascript">
// Reload the page over HTTPS if it was fetched over any other protocol.
if (window.location.protocol !== "https:") {
    window.location.protocol = "https";
}
</script>
```

Or, as I’ve encapsulated it in my Jekyll-based header:

```html
{% if site.enforce_ssl %}
<script type="text/javascript">
// Only emitted when enforce_ssl is set in the site configuration.
if (window.location.protocol !== "https:") {
    window.location.protocol = "https";
}
</script>
{% endif %}
```

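With the above, as long as the browser has JavaScript enabled, the executed script will redirect visitors to the SSL version of the page. It’s not perfect, but it’s functional. The first request still travels over plain HTTP, so the redirect only helps when the page arrives unmodified: anyone able to tamper with that first response can simply remove the script.

Note that in the Jekyll version, I add a bit of configuration logic so that on my local machine, I can test changes without enforcing.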
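As an added example (not code from the original post), the same redirect can decide at runtime whether to enforce HTTPS, so that a local preview is left alone without a build-time flag. The function name `httpsRedirectTarget`, the `LOCAL_HOSTS` list and the sample URLs in the comments are assumptions made for illustration.

```javascript
// Added example: hostnames treated as local development (an assumption).
const LOCAL_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Return the https:// URL to redirect to, or null when no redirect applies.
function httpsRedirectTarget(href) {
  const url = new URL(href);

  // Already secure, or not a web origin at all (file:, about:, ...).
  if (url.protocol !== "http:") return null;

  // Local preview, e.g. `jekyll serve` on http://localhost:4000/.
  if (LOCAL_HOSTS.includes(url.hostname)) return null;

  // An explicit non-default port would be carried over to the https: URL,
  // where nothing is likely to be listening, so do not guess.
  if (url.port !== "") return null;

  // Path, query string and fragment are preserved by the URL object.
  url.protocol = "https:";
  return url.href;
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const target = httpsRedirectTarget(window.location.href);
  // replace() keeps the http:// entry out of the session history, so the
  // Back button does not return to the insecure URL and redirect again.
  if (target !== null) window.location.replace(target);
}
```

This carries the same limitation as the inline snippet: the first response is still delivered over HTTP.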
